IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
APPLICATION FOR PATENT

METHOD AND APPARATUS IMPLEMENTED IN A FIREWALL FOR COMMUNICATING INFORMATION BETWEEN PROGRAMS EMPLOYING DIFFERENT PROTOCOLS

Inventors: Ke-qin Gu, Tsung-Yen (Eric) Chen, Ching-Chih (Jason) Han, and Kuo-Chun Lee

FIELD OF THE INVENTION

The present invention generally relates to methods and apparatuses for communicating information between programs and, in particular, to a method and apparatus implemented in a firewall for communicating information between programs employing different protocols.

BACKGROUND OF THE INVENTION

In many applications it is useful for programs to communicate information to each other. When the programs employ different protocols, however, such communication cannot occur directly. Protocol translation of the information is first necessary in order for a program to correctly interpret the information transmitted by another program employing a different protocol.

One such application involves communications over the Internet. With the growing popularity of the Internet, there is a growing demand by certain users to drive tools through the Internet, instead of only browsing the Internet. In particular, these users desire to access and use remotely located, real-time interactive software through the Internet. In many cases, this kind of activity requires a persistent connection using a socket-based protocol, since such real-time interactive software was generally developed to run over a local area network ("LAN").

On the other hand, the HyperText Transfer Protocol ("HTTP") is the pervasive protocol of the World Wide Web. HTTP is a stateless protocol, because each command is executed independently, without knowledge of the commands that came before it. HTTP uses a request-response mechanism that is suitable for web browsing. HTTP, however, is different from many socket-based protocols in both format and handling procedure, thus making HTTP less than ideal for directly driving another program over the Internet.

Firewalls add further complications since they generally prevent direct and persistent connections to programs behind the firewall. Therefore, even though firewalls support HTTP communications through the Internet, driving an interactive real-time program behind a firewall is not straightforward. Modifying the interactive real-time programs to accommodate such communication is also generally impractical, because of the large number and complexity of such legacy programs.

OBJECTS AND SUMMARY OF THE INVENTION

Accordingly, it is an object of the present invention to provide a method and apparatus for communicating information between programs employing different protocols.

Another object is to provide a method and apparatus for communicating information over the Internet and through a firewall between programs employing different protocols.

Still another object is to provide a method and apparatus for communicating information over the Internet and through a firewall to a program requiring a persistent connection behind the firewall.

These and additional objects are accomplished by the various aspects of the present invention, wherein, briefly stated, one aspect of the invention is a method implemented in a firewall (e.g., 100) for communicating information between programs employing different protocols (e.g., 16 and 54), comprising communicating information between the programs by protocol translating the information between the different protocols.

In another aspect of the invention, a method implemented in a firewall (e.g., 100) for communicating information between a first program employing a first application level protocol (e.g., 16) in front of the firewall, and a second program employing a persistent application level protocol (e.g., 54) behind the firewall, comprises: establishing a persistent connection with the second program; and communicating information between the first program and the second program by protocol translating the information between the first application level protocol and the persistent application level protocol.

In yet another aspect of the invention, an apparatus in a firewall (e.g., 100) for communicating information between a first program employing a first application level protocol (e.g., 16) in front of the firewall, and a second program employing a persistent application level protocol (e.g., 54) behind the firewall, comprises a bastion host (e.g., 30) having a protocol proxy (e.g., 34) for establishing a persistent connection between the protocol proxy and the second program, and communicating information between the first program and the second program by protocol translating the information between the first application level protocol and the persistent application level protocol.

Additional objects, features and advantages of the various aspects of the present invention will become apparent from the following description of its preferred embodiments, which description should be taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a block diagram of a system including an apparatus implemented in a firewall for communicating information between programs employing different protocols.

FIG. 2 illustrates a web page displayed on a web client to facilitate a method implemented in a firewall for communicating information between programs employing different protocols.

FIG. 3 illustrates a flow diagram of a method implemented in a firewall for communicating information between programs employing different protocols.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 illustrates a diagram of a computer system including: a web client 10 having a web browser 12, a web page 14, and a java applet 16 residing on it; a bastion host 30 having a packet filter 32 and a protocol proxy 34 residing on it; and a host or web server 50 having an application program 52 and a special window manager 54 residing on it. All communications between the protocol proxy 34 and the application program 52 go through the special window manager 54. The web client 10 communicates with the bastion host 30 through the Internet 20, and the bastion host 30 communicates with the host server 50 through a LAN 40. The bastion host 30 and the packet filter 32 combine in a conventional manner to form a firewall 100 that protects the host server 50 from hacker attacks launched through the Internet 20. The web page 14 and the java applet 16 had been previously downloaded from the host server 50.

Express Mail No. EK847722780US
Docket No. CREO.004US0
- 5 -

FIG. 2 illustrates the web page 14 as it appears on a display screen of the web client 10. A menu area 201 is reserved for control buttons such as, for example, buttons 202, 203 and 204, that generate commands through the java applet 16 which control the operation of the application program 52 through the special window manager 54. An image area 205 is reserved for images received from the application program 52 through the special window manager 54. Preferably, the web page 14 resembles the display screen on the host server 50 when running the application program 52, including the location and functions of the control buttons. Although control buttons are used in this example, their use is merely to simplify the description. It is to be appreciated that tool bars with pull-down menus are more commonly used in practice and are fully contemplated within the scope of the present invention.

The application program 52 is a real-time interactive program employing a corresponding socket-based protocol. The special window manager 54 is preferably VNC (virtual network computing) from AT&T employing the RFB (remote frame buffer) protocol. Both protocols require a persistent connection. As will be described in reference to FIG. 3, the protocol proxy 34 translates information to be communicated from the java applet 16 to the application program 52 through the VNC program 54 from HTTP to the RFB protocol. Conversely, the protocol proxy 34 translates return information from the application program 52 through the VNC program 54 to the java applet 16 from the RFB protocol to HTTP.

FIG. 3 illustrates a flow diagram of a method implemented in the firewall 100 for communicating information between programs employing different protocols. Protocol proxy 34 primarily performs the method. In 301, the protocol proxy 34 receives information from the client server 10 after the information has successfully passed through the packet filter 32. The information may be in the form of a command or a request for information from the java applet 16 to the application program 52 through the VNC program 54. In order to be routed properly, the information is addressed to the protocol proxy 34 with the final destination of the VNC program 54 designated in the header. The destination or target program is designated by the java applet 16 when the web client user clicks on a button in the menu area 201 of the web page 14.

In 302, the protocol proxy 34 reads the final destination of the information (i.e., the target program) and determines whether the received information is the first information to be communicated to that destination in the current session. The determination is straightforward. If there is no socket currently open with the destination, then the received information is assumed to be the first information to be communicated to that destination in the current session, and the answer is yes. On the other hand, if there is a socket currently open with the destination, then the received information is assumed not to be the first information to be communicated to that destination in the current session, and the answer is no.

Now, if the answer in 302 is yes, then in 303, the protocol proxy 34 first opens a socket with the target program (i.e., the VNC program 54). In 304, the protocol proxy 34 translates the information from HTTP to the RFB protocol. As used herein, protocol translation means any or all of providing the proper handshaking, format (e.g., headers, command, data, and error correction code), and command or data translation, as appropriate. Also, both the application program's persistent connection, socket-based protocol and the VNC program's RFB protocol are referred to herein as persistent application level protocols.

In 305, the protocol proxy 34 communicates the protocol translated information to the destination or target program. The protocol proxy 34 may then loop back to 301 to receive further information from the java applet 16, or proceed to 306. In 306, the protocol proxy 34 receives a response from the target program, and in 307, the protocol proxy 34 then translates the information from the RFB protocol to HTTP. In 308, the protocol proxy 34 then communicates the protocol translated information to the java applet 16. The protocol proxy 34 may then loop back to 301 if it receives an information packet from the java applet 16, or loop back to 306 if it receives an information packet from the application program 52 through the VNC program 54.

On the other hand, if the answer in 302 is no, then the protocol proxy 34 skips 303 and performs 304-308 as previously described. After the web client user terminates his or her session, the java applet 16 sends a termination indication to the protocol proxy 34, and the protocol proxy 34 closes the open socket with the VNC program 54. Thus, by maintaining the socket open in this fashion with the VNC program 54 until told to quit or terminate, a persistent connection is established and maintained with the program.
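The flow of 301 through 308, together with the session-termination step just described, as an added worked example in Python. This is illustration written for this page, not code from the patent or from AT&T's VNC. The RFB message layouts it emits (PointerEvent type 5, KeyEvent type 4, FramebufferUpdateRequest type 3, server Bell type 2) follow the public RFB protocol specification; everything else is an assumption made for the example: the form-encoded HTTP command format and the `X-Target` header that names the destination, the in-memory `FakeRfbServer` standing in for the VNC program 54, and the `ALLOWED_TARGETS` allow-list. That allow-list is added hardening the patent does not mention: because the client header chooses which program behind the firewall receives a socket, a proxy on the bastion host that opens sockets to any named destination would turn into a general relay into the LAN, so the example refuses destinations it was not configured for.

```python
"""Minimal protocol proxy modelled on steps 301-308 (added example, not the
patent's code). The in-memory backend, the HTTP command format and the
target allow-list are assumptions made for this example."""
import struct
from urllib.parse import parse_qs

# RFB message layouts below follow the public RFB protocol specification:
# client->server PointerEvent (type 5), KeyEvent (type 4),
# FramebufferUpdateRequest (type 3); server->client Bell (type 2).

ALLOWED_TARGETS = {"vnc-54"}   # assumed: programs the proxy may open sockets to


class FakeRfbServer:
    """Stand-in for the VNC/RFB program 54 behind the firewall (constructed for
    this example). It records every message and answers with an RFB Bell."""

    def __init__(self):
        self.received = []
        self.is_open = True

    def send(self, data: bytes) -> None:
        self.received.append(data)

    def recv(self) -> bytes:
        return b"\x02"            # RFB server message type 2: Bell

    def close(self) -> None:
        self.is_open = False


def http_to_rfb(body: str) -> bytes:
    """Step 304: translate a form-encoded HTTP command into one RFB client message."""
    params = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    cmd = params.get("cmd")
    if cmd == "pointer":
        # PointerEvent: type u8=5, button-mask u8, x u16, y u16 (network byte order)
        return struct.pack("!BBHH", 5, int(params["buttons"]),
                           int(params["x"]), int(params["y"]))
    if cmd == "key":
        # KeyEvent: type u8=4, down-flag u8, 2 bytes padding, keysym u32
        return struct.pack("!BBxxI", 4, int(params["down"]), int(params["key"]))
    if cmd == "update":
        # FramebufferUpdateRequest: type u8=3, incremental u8, x, y, w, h u16
        return struct.pack("!BBHHHH", 3, int(params.get("incremental", "1")),
                           int(params["x"]), int(params["y"]),
                           int(params["w"]), int(params["h"]))
    raise ValueError(f"unknown command {cmd!r}")


def rfb_to_http(msg: bytes) -> str:
    """Step 307: translate an RFB server message into an HTTP-style response body."""
    kinds = {0: "framebuffer-update", 1: "set-colour-map", 2: "bell", 3: "server-cut-text"}
    return "rfb-message=" + kinds.get(msg[0], "unknown")


class ProtocolProxy:
    """Protocol proxy 34: one persistent socket per target for the session."""

    def __init__(self, connect):
        self.connect = connect   # factory: target name -> open socket (step 303)
        self.sessions = {}       # target -> socket; present means session open (302)

    def handle(self, headers: dict, body: str) -> str:
        """Step 301: one HTTP request from the applet, addressed by X-Target."""
        target = headers.get("X-Target")
        if target not in ALLOWED_TARGETS:
            # Assumed hardening: the header names the destination, so the proxy
            # must not open sockets to whatever internal host a client asks for.
            raise PermissionError(f"target {target!r} not permitted")
        if body == "quit":                       # termination indication
            sock = self.sessions.pop(target, None)
            if sock is not None:
                sock.close()
            return "session=closed"
        sock = self.sessions.get(target)
        if sock is None:                         # 302: first information -> yes
            sock = self.connect(target)          # 303: open the socket
            self.sessions[target] = sock
        sock.send(http_to_rfb(body))             # 304 + 305
        return rfb_to_http(sock.recv())          # 306 + 307 + 308


def demo():
    """Run one session against the constructed backend; returns
    (responses, targets connected to, backend) for inspection."""
    backend = FakeRfbServer()
    connects = []
    proxy = ProtocolProxy(lambda t: connects.append(t) or backend)
    hdr = {"X-Target": "vnc-54"}
    responses = [
        proxy.handle(hdr, "cmd=pointer&buttons=1&x=10&y=20"),
        proxy.handle(hdr, "cmd=key&down=1&key=65"),
        proxy.handle(hdr, "quit"),
    ]
    return responses, connects, backend
```

`demo()` plays the session: the first command finds no socket for `vnc-54` (302 answers yes), so one is opened (303) and then reused for the second command (302 answers no), and `quit` closes it. A request naming a target outside `ALLOWED_TARGETS` is rejected before any socket is opened, which is the check a practitioner would want on a bastion host that otherwise trusts a client-supplied destination header.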

Although the various aspects of the present invention have been described with respect to a preferred embodiment, it will be understood that the invention is entitled to full protection within the full scope of the appended claims.
CLAIMS

We claim:

1. A method implemented in a firewall for communicating information between programs employing different protocols, comprising communicating information between the programs by protocol translating the information between the different protocols.

2. The method according to claim 1, wherein one of the programs is in front of the firewall employing a stateless application level protocol, and another of the programs is behind the firewall employing a persistent application level protocol.

3. The method according to claim 2, further comprising establishing a persistent connection with the program behind the firewall before communicating information between the programs.

4. The method according to claim 3, further comprising communicating with the program in front of the firewall over the Internet, and communicating with the program behind the firewall over a local area network.

5. The method according to claim 4, wherein the program in front of the firewall resides on a client server.

6. The method according to claim 4, wherein the program behind the firewall resides on a web server protected by the firewall.
7. A method implemented in a firewall for communicating information between a first program employing a first application level protocol in front of the firewall, and a second program employing a persistent application level protocol behind the firewall, comprising:

establishing a persistent connection with the second program; and

communicating information between the first program and the second program by protocol translating the information between the first application level protocol and the persistent application level protocol.

8. The method according to claim 7, wherein the first application level protocol is a stateless application level protocol.

9. The method according to claim 8, wherein the stateless application level protocol is hypertext transfer protocol.

10. The method according to claim 7, wherein the persistent application level protocol is remote frame buffer protocol.

11. The method according to claim 7, wherein the establishing a persistent connection comprises opening a socket with the second program, and maintaining the socket open until communication between the first program and the second program terminates.

12. The method according to claim 7, further comprising receiving a request for information over the Internet from the first program directed to the second program, before establishing the persistent connection with the second program.

13. The method according to claim 7, further comprising receiving a request for information from the second program directed to the first program, after establishing the persistent connection with the second program.

14. An apparatus in a firewall for communicating information between a first program employing a first application level protocol in front of the firewall, and a second program employing a persistent application level protocol behind the firewall, comprising a bastion host having a protocol proxy for establishing a persistent connection between the protocol proxy and the second program, and communicating information between the first program and the second program by protocol translating the information between the first application level protocol and the persistent application level protocol.

15. The apparatus according to claim 14, wherein the first application level protocol is a stateless application level protocol.

16. The apparatus according to claim 15, wherein the stateless application level protocol is hypertext transfer protocol.

17. The apparatus according to claim 14, wherein the persistent application level protocol is remote frame buffer protocol.
18. The apparatus according to claim 14, wherein the establishing a persistent connection comprises opening a socket with the second program, and maintaining the socket open until communication between the first program and the second program terminates.

19. The apparatus according to claim 14, wherein said bastion host further includes a packet filter, and said protocol proxy is further for cooperating with the packet filter to receive a request for information over the Internet from the first program directed to the second program, before establishing the persistent connection with the second program.

20. The apparatus according to claim 14, wherein said protocol proxy is further for receiving a request for information from the second program directed to the first program, after establishing the persistent connection with the second program.
ABSTRACT OF THE DISCLOSURE

A computer system includes a web client having a client based program residing on it, a firewall having a protocol proxy residing on it, and a host server having an application program and a special window manager residing on it. All communications between the protocol proxy and the application program go through the special window manager. The web client communicates with the firewall through the Internet, and the firewall communicates with the host server through a LAN. The client based program employs HTTP, and the special window manager employs a persistent connection, socket-based protocol. The protocol proxy establishes and maintains a persistent connection with the special window manager, and communicates information back and forth between the client based program and the application program through the special window manager by first protocol translating the information between HTTP and the special window manager's persistent connection, socket-based protocol.
□ was filed on as United States Application No. or PCT International Application Number and was amended on (if applicable)

I hereby state that I have reviewed and understand the contents of the above identified specification, including the claims, as amended by any amendment referred to above.

I acknowledge the duty to disclose to the United States Patent and Trademark Office all information known to me to be material to patentability as defined in Title 37, Code of Federal Regulations, Section 1.56.

I hereby claim foreign priority benefits under Title 35, United States Code, Section 119(a)-(d) or Section 365(b) of any foreign application(s) for patent or inventor's certificate, or Section 365(a) of any PCT International application which designated at least one country other than the United States, listed below and have also identified below, by checking the box, any foreign application for patent or inventor's certificate or PCT International application having a filing date before that of the application on which priority is claimed.

Prior Foreign Application(s) Priority Not Claimed
□ (Number) (Country) (Day/Month/Year Filed)
□ (Number) (Country) (Day/Month/Year Filed)
□ (Number) (Country) (Day/Month/Year Filed)

I hereby claim the benefit under 35 U.S.C. Section 119(e) of any United States provisional application(s) listed below:
(Application Serial No.) (Filing Date)
(Application Serial No.) (Filing Date)
(Application Serial No.) (Filing Date)

I hereby claim the benefit under 35 U.S.C. Section 120 of any United States application(s), or Section 365(c) of any PCT International application designating the United States, listed below and, insofar as the subject matter of each of the claims of this application is not disclosed in the prior United States or PCT International application in the manner provided by the first paragraph of 35 U.S.C. Section 112, I acknowledge the duty to disclose to the United States Patent and Trademark Office all information known to me to be material to patentability as defined in Title 37, C.F.R., Section 1.56 which became available between the filing date of the prior application and the national or PCT International filing date of this application:
(Application Serial No.) (Filing Date) (Status: patented, pending, abandoned)
(Application Serial No.) (Filing Date) (Status: patented, pending, abandoned)
(Application Serial No.) (Filing Date) (Status: patented, pending, abandoned)

I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true; and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code and that such willful false statements may jeopardize the validity of the application or any patent issued thereon.
POWER OF ATTORNEY: As a named inventor, I hereby appoint the following attorney(s) and/or agent(s) to prosecute this application and transact all business in the Patent and Trademark Office connected therewith (list name and registration number): Victor H. Okumoto 35,973

Send Correspondence to: Kuo-Chun Lee, 139 Buck Court, Fremont, CA 94539

Direct Telephone Calls to (name and telephone number): Victor H. Okumoto (510) 792-1112

Full name of sole or first inventor: Ke-Qin Gu
Sole or first inventor's signature: [signature and date not legible in scan]
Residence: 750 N. King Road, Apt 911, San Jose, CA 95133
Citizenship: P.R. China
Post Office Address:

Full name of second inventor, if any: Tsung-Yen (Eric) Chen
Second inventor's signature: [signature and date not legible in scan]
Residence: 43519 Puesta Del Sol, Fremont, CA 94539
Citizenship: Taiwan
Post Office Address:

Full name of third inventor, if any: Ching-Chih (Jason) Han
Third inventor's signature: [signature and date not legible in scan]
Residence: 40336 Dolerita Ave., Fremont, CA 94539
Citizenship: Taiwan
Post Office Address:

Full name of fourth inventor, if any: Kuo-Chun Lee
Fourth inventor's signature: [signature and date not legible in scan]
Residence: 139 Buck Court, Fremont, CA 94539
Citizenship: Taiwan
Post Office Address: